Just a reminder that you can’t build a successful threat hunting program to detect the APT indicators everyone is posting unless you actually build the capacity to threat hunt - which has prerequisites, like understanding your environment and building collections of log sources.
Otherwise you’re just throwing pasta at the wall and hoping something will stick, and you don’t know if it means anything if it doesn’t.
Actual serious threat hunting: 1) Builds upon reasonably mature security monitoring capability 2) Requires actual well thought out hypotheses about what an adversary might be doing in your environment based on architecture, Intel, Crown Jewels
Otherwise you’re just doing IOC and signature sweeps, which is fine, but it’s just monitoring and it won’t detect anything novel.
I’m going to go back to what I said a few days ago and remind you that the best way to stop or detect sophisticated attacks is to build good detection and defense in depth from the fundamentals. Threat hunting is awesome, but also requires a lot of that to be in place.
There are many people trying to jump from step A to Z right now because of sophisticated Intel reports out there. Just remember that it’s Intel people’s job to give you the most useful data they can, not to make sure you can actually use it or even know what’s on your network.
Threat hunting is proactive. You are making a scientific, testable, falsifiable hypotheses about what an adversary or malware could be doing in *your* environment. Then you try to *disprove* that hypothesis to a reasonable certainty using the correct sources in your environment.
Threat hunting exists to *detect things that signatures and static IOCs can’t* in routine monitoring. It’s how we detect new activity and target human efforts to detect what machines can’t detect well. So routine monitoring and IR capability come first!
It’s absolutely positively 💯% fine to just be building your asset inventories or monitoring and detection capability or running IOC sweeps right now! Do those things first! Get those in place and threat hunting will come naturally.
I did a talk on this at WWHF this year and I hope it’s posted soon...
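The hunt loop described in this thread (a falsifiable hypothesis, tested against the correct sources, where "no hits" only means something if the source actually covers the scope), as an added example that is not part of the original thread. The asset inventory, events, and the baseline of expected parent processes are all constructed for illustration.

```python
from typing import Dict, List

# Constructed asset inventory (host -> role); a real hunt would read the CMDB.
ASSETS = {"srv01": "server", "srv02": "server", "srv03": "server", "ws01": "workstation"}

# Constructed process-creation events. Note srv03 is in inventory but sends nothing.
EVENTS = [
    {"host": "srv01", "type": "process_create", "image": "schtasks.exe",
     "parent": "cmd.exe", "user": "svc_backup"},
    {"host": "srv01", "type": "process_create", "image": "sqlservr.exe",
     "parent": "services.exe", "user": "SYSTEM"},
    {"host": "srv02", "type": "process_create", "image": "schtasks.exe",
     "parent": "svchost.exe", "user": "SYSTEM"},
    {"host": "ws01", "type": "process_create", "image": "schtasks.exe",
     "parent": "explorer.exe", "user": "alice"},
]

# Hypothetical baseline: on servers, schtasks.exe normally runs only under these parents.
EXPECTED_PARENTS = {"services.exe", "svchost.exe"}


def hunt_scheduled_task_persistence(events: List[Dict], assets: Dict[str, str],
                                    scope_role: str = "server") -> Dict:
    """Hypothesis: an adversary is creating scheduled tasks for persistence on servers.

    Step 1 checks visibility: which in-scope hosts actually deliver the log source
    the hypothesis needs. Step 2 looks for evidence that keeps the hypothesis alive.
    The verdict separates "we looked and found nothing" from "we could not look".
    """
    in_scope = {h for h, role in assets.items() if role == scope_role}
    reporting = {e["host"] for e in events if e["type"] == "process_create"}
    blind = sorted(in_scope - reporting)

    leads = [e for e in events
             if e["host"] in in_scope and e["type"] == "process_create"
             and e["image"].lower() == "schtasks.exe"
             and e["parent"].lower() not in EXPECTED_PARENTS]

    if not (in_scope & reporting):
        verdict = "no_visibility"    # cannot hunt at all; fix collection first
    elif leads:
        verdict = "not_disproved"    # hypothesis survives; investigate the leads
    elif blind:
        verdict = "inconclusive"     # nothing seen, but part of the scope is dark
    else:
        verdict = "disproved"        # full coverage and no evidence
    return {"verdict": verdict, "leads": leads, "blind_hosts": blind,
            "coverage": f"{len(in_scope & reporting)}/{len(in_scope)}"}
```

With the constructed data the hunt returns one lead on srv01 and flags srv03 as a collection gap; the same query with no reporting hosts returns "no_visibility" rather than a false "all clear".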
It’s challenging to try to explain to liberal and libertarian, privileged baby boomers who are not already activists why gen x, millennials, gen z are arguing for what they perceive as very extreme political and social change. Healthcare, college debt relief, or social justice...
Until I started having conversations with otherwise sensible older people who are center-left and do support things like gay marriage, I didn’t realize how much of a disconnect and blind spot there is. A lot of my 20s-40s friends are in serious perpetual debt with no healthcare...
Economically, structurally, and socially people’s lives have changed a lot in the past fifty years...
There are a lot more serious and valid complaints about Cyberpunk 2077, but can we also talk sometime about how V exposes themselves every time they sit in a chair while wearing a skirt?
I mean I'm a pretty sex-positive person but it feels like flashing everyone every time you sit down breaks immersion when nobody reacts.
Oh, if anybody was waiting for a review from me it's all true. It runs okay on my PC, but I've hit a lot of bugs and kludges, and the perpetual trans jokes are super-duper cringe. A pity because it's an interesting universe, soundtrack, and voice cast.
I hate the term "zero trust" for the same reason as I hate the term "security hygiene" - I absolutely 100% agree with the practice, yet think the term is totally misleading and that it's constantly misrepresented to sell marketing FUD.
You're still trusting shit. Just stop.
You're not brushing your network's teeth. Just stop.
Some of the greatest regrets of my youth involve not firmly and directly calling out internet men for wildly inappropriate behavior towards me (gaslighting, stalking, harassment) before they went on to genuinely hurt someone else in IT.
If you think it’s cool or appropriate to try to pick up a person in her (physical or virtual) place of business for politely providing you a professional service, I really don’t know what to tell you. We don’t live in a crappy 80s rom com. I’d call you out.
Because, for the most part, that’s not about liking or respecting the person. It’s about being willing to overstep her boundaries and disrespect her professional credentials purely for the sake of your own satisfaction and fantasies. If you really care, you could make an effort.
I hope your food turns out awful and your kids hate all their presents. I also hope people remember this when you apply for jobs in the future. This is one of the cruelest and most counterproductive moves I have ever heard of inside our industry. I am stunned.
It’s not “touchy feely” of me to point out this was bad. Not only is it stunningly unethical, the overall result on GoDaddy security will be objectively negative as it spoils the fragile relationship between infosec and staff for future IR, reporting, and policy adherence.
Auntie Lesley's subtweety social interaction tips #35:
When you comment on someone's photo and offer unsolicited criticism on 1) Technique 2) OSINT 3) Tool choice, and the poster replies, "I didn't ask for your opinion" or "Yes, I know",
That is the time to stop. Right there.
I know it is something you (at least think you) know a lot about,
I know you are passionate about it,
I know you are trying to help them / their followers,
I know you are sharing knowledge,
That is not the venue. It is how you lose friends, community respect, and get blocked.
You can always go write your own tweet thread or blog, or post a video to educate people on the subject! That is perfectly fine! Go forth and share knowledge! Your viewpoint is valuable. Your criticism was not solicited.